Business email compromise actors working out of Nigeria have been targeting government healthcare agencies, COVID-19 research groups, and pandemic response bodies to obtain fraudulent wire transfer payments and distribute malware.

The attacks were discovered by Palo Alto Networks’ Unit 42 team experts and have been attributed to a cybercriminal group labelled SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have carried out at least 2.1 million BEC attacks since the Unit 42 team began tracking their activity in 2014. In 2019, the group carried out an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were detected.

The gang has been seen targeting exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting people working in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to fool recipients into opening malicious email attachments that install malware. A wide variety of malware variants have been used by the gang, including information stealers such as Lokibot, Pony, and PredatorPain and remote administration tools to maintain persistent access to compromised systems. The gangs deploy malware to steal sensitive information and gain access to bank accounts and payroll systems. BEC attacks are also conducted to complete fraudulent wire transfer payments.

Unit 42 experts have tracked the activity of three threat actors from the group over the past 3 months who, between them, have operated 10 COVID-19 themed malware campaigns on organizations involved in the national response to COVID-19 in Australia, Canada, Italy, the United Kingdom, and the United States.

Recent targets have included government healthcare bodies, local and regional governments, medical publishing companies, research businesses, insurance companies, and universities with medical programs and medical clinic. 170 distinct phishing emails have been discovered by the researchers, several of which related to supplies of face masks and other personal protective equipment.

SilverTerrier attacks grown by 172% in 2019 and Palo Alto Networks reports there is no indication that the attacks will drop off during 2020. Researchers said: “In light of this trend, we encourage government agencies, healthcare and insurance organisations, public utilities, and universities with medical programs to apply extra scrutiny to Covid-19-related emails containing attachments.”

As the attacks are mostly conducted by email, the best defense is training for staff to help them identify spear phishing emails and an advanced spam filtering solution to stop the emails from being sent to inboxes. It is also vital to check to make sure that the CVE-2017-11882 Microsoft Office vulnerability and to continue to apply patches quickly.